Agent Trust Fabric
What this is. SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. The Agent Trust Fabric is the single runtime verdict that tells an agent host, MCP gateway, SOC workflow, or reviewer: this agent run is trusted, needs step-up, is untrusted, or must be killed.
The product bet
Enterprise reviewers do not want a pile of agent safety checklists. They want one answer before an agent touches tools or private context:
Can we trust this agent, for this workflow, in this tenant, right now?
The Agent Trust Fabric composes six dimensions into that answer:
- Identity - who the agent is, which delegated identity it is using, and whether that identity still has valid scope.
- Context - what the agent is consuming, whether the context is fresh, and whether poisoning signals were found.
- Scope - where the agent can go and which action class is being attempted.
- Behavior - what the agent is doing in real time and whether telemetry can reconstruct the run.
- Data boundary - what the agent is sending or serving outside the trust boundary.
- Containment - whether kill switches, SOC detections, and hosted MCP controls can stop the run when prevention fails.
That is the review-ready wedge: open knowledge creates adoption; the production MCP server becomes the control point that signs trust verdicts for customer-private agent runs.
What was added
data/assurance/agent-trust-fabric-profile.json- source contract for trust dimensions, tiers, runtime fields, source references, and trusted-source path.data/evidence/agent-trust-fabric-pack.json- generated MCP-readable trust fabric evidence.recipes_agent_trust_fabric_pack- MCP lookup by dimension, workflow, trust tier, or status.
Evaluate a trusted scoped run:
Evaluate a trust break:
What is inside
| Section | Purpose |
|---|---|
trust_fabric_summary |
Dimension count, workflow count, trust-tier distribution, source pack count, and failure count. |
trust_contract |
Default fail-closed state, required runtime fields, score thresholds, evidence sources, and kill signals. |
trust_dimensions |
The identity, context, scope, behavior, data-boundary, and containment checks, with MCP tools and evidence paths. |
trust_tiers |
Intern, Apprentice, Operator, and Principal tiers with score gates and allowed actions. |
workflow_trust_matrix |
Generated default trust tier and risk flags for every active workflow. |
tabletop_cases |
Ready-made allow, hold, deny, and kill cases for platform testing. |
source_artifacts |
Hashes and paths for each evidence pack used to build the trust fabric. |
MCP examples
Get the executive summary and trust matrix:
{}
Inspect one dimension:
{
"dimension_id": "identity"
}
Inspect a workflow:
{
"workflow_id": "vulnerable-dependency-remediation"
}
Find workflows that default to Operator:
{
"trust_tier": "operator"
}
Evaluate one agent trust request:
{
"workflow_id": "vulnerable-dependency-remediation",
"run_id": "run-123",
"agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
"identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
"tenant_id": "tenant-a",
"correlation_id": "corr-123",
"trust_event_id": "trust-123",
"requested_trust_tier": "operator",
"intent_summary": "Patch dependency lockfiles on a scoped remediation branch.",
"context_package_hash": "sha256:context",
"policy_pack_hash": "sha256:policy",
"authorization_decision": "allow_authorized_mcp_request",
"egress_decision": "allow_internal_context",
"action_runtime_decision": "allow_bounded_action",
"telemetry_decision": "telemetry_ready",
"soc_decision": "no_alert",
"telemetry_event_id": "trace-123",
"receipt_id": "receipt-123",
"source_freshness_decision": "current",
"human_approval_record": {
"approval_id": "approval-123",
"status": "approved"
}
}
Why it is review-ready
The trust fabric makes the site easier to understand and easier to sell. It creates one cross-vendor primitive that xAI, Anthropic, OpenAI, an AI platform vendor, or a security vendor could attach to agent hosts, MCP gateways, customer telemetry, and trust-center exports:
- hosted trust scoring APIs,
- signed agent trust verdicts,
- customer policy adapters,
- SOC/SIEM export,
- procurement evidence export,
- runtime step-up and kill decisions,
- trust-center proof for design partners,
- a direct bridge from open knowledge to production MCP enforcement.
Industry alignment
The pack is anchored in current primary guidance:
- CSA ATF: Zero Trust for AI Agents for identity, behavior, data governance, least privilege, and containment.
- NIST AI Agent Standards Initiative for trusted, interoperable, secure agent standards.
- NIST CAISI AI Agent Security RFI for indirect prompt injection, poisoning, misaligned actions, and constrained deployment access.
- MCP Authorization 2025-11-25 for protected-resource metadata, scope challenges, resource indicators, token audience validation, and token-passthrough denial.
- OWASP MCP Top 10 for token exposure, scope creep, tool poisoning, command execution, insufficient auth, shadow MCP servers, and over-sharing.
- OpenAI Agents SDK Guardrails for guardrail placement around first input, final output, and function-tool calls.
- OpenTelemetry GenAI agent spans for portable agent and tool execution traces.